GDPR – Frequently Asked Questions & Answers For Hoteliers [UPDATED]

The GDPR (General Data Protection Regulation) replaces the 1995 EU Data Protection Directive and is the most significant piece of European data protection legislation to be introduced in the last 20 years. In short, the regulations are centred around protecting an individual’s rights regarding the collection and processing of their personal data, across Europe. They come into full effect on the 25th of May 2018 and a full copy of the regulations can be found here.

Why should hoteliers care? Here’s 3 key reasons;

Opportunity – The GDPR shouldn’t be seen as all ‘doom and gloom‘. These regulations level the playing field for those already acting responsibly with their data. They also offer an opportunity for you to improve your data capture methods, tidy up your marketing databases and show your customers that you respect their rights.

Negative brand perception – hoteliers that are observed to be irresponsible with customer data, or who flaunt the new regulations, could receive negative publicity.

Significant financial penalty – non compliance and an upheld complaint could result in fines of up to 4% of your global annual turnover or €20m, whichever figure is greater.

To help the hotel industry adapt to the new regulations, and work towards being fully compliant, Hotel Speak has compiled a list of frequently asked questions from hoteliers about GDPR, along with curated answers from leading hotel industry experts.

It’s important to note that these questions and answers are based on current interpretations of the GDPR, at the time of publishing. At present the regulations are words on paper, rather than enforceable law, with no precedents set.

This post will be added to as new questions emerge during the next few months, or as clarity emerges once the regulations are enforceable.

Got a question?

Add it to the comments below and Hotel Speak will reach out to our community for an answer.

The boring (but necessary) legal disclaimer

Hotel Speak, nor any of the contributors to this post, accept any liability for non-compliance as a result of following any of the advice within this post. This post is intended to help steer your approach to the GDPR but, with any regulatory change, it’s advisable to seek full and proper legal guidance to ensure compliance.

General Questions

Q. When does the GDPR come into effect?A. The 25th of May, 2018.

Q. What’s the difference between a Data Subject, Data Controller and Data Processor?
A. “Data Subjects” are individuals, resident within the EU. A “Data Controller” is any organisation that holds personal data about EU citizens (e.g. your customers’ names, etc.). A “Data Processor” is an organisation involved in processing & storing that information on the controller’s behalf. Note that under GDPR both Data Controllers and Data Processors can be held liable if there is a data breach and so both need to adhere by the regulation.

Q. GDPR? Isn’t this just like the cookie regulations (EuropeanUnion’s 2011 ePrivacy Directive)? That didn’t amount to much. Do we even need to bother doing anything?A. Yes! This is a far wider reaching regulation change than that of 2011. Non-compliance of GDPR can lead to serious fines – 4% of annual turnover or €20m. It’s also worth noting here that in contrast to previous regulations, the GDPR is a ‘regulation’ rather than a ‘directive’ – a binding legislative act, that must be applied in its entirety across the EU.

Q. Will GDPR enforcement vary by country?A. Yes, it’s anticipated that some regulatory bodies will enforce the regulations more strictly than others. It’s advisable to review your own country’s guidelines and documentation on enforcement for more information.

Q. What constitutes personal data?A. Personal data is any information that is related to a person (or ‘Data Subject’), that may be used to directly or indirectly identify the person. For example, a name, a photo, an email address, bank details, their posts on social networks etc.

Q. Our head office is outside of Europe, but we have hotels within Europe – do we still need to comply?
A. Yes, as per Article 3 of the regulation;

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”

Q. We capture data from our customers in the EU, but process it outside of the EU. Does the GDPR still apply to us?A. Yes, as per Article 3 of the regulation;

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

Q. We’re UK based. Surely Brexit means that UK companies don’t need to comply with GDPR?A. Firstly, the regulations will come into effect on the 25th of May 2018. The 2-year leave deadline of Brexit is April 2019, so there will be overlap. Secondly, even after Brexit, any UK companies that offer goods or services to EU residents will still need to comply, so as hoteliers, with guests from Europe – it’s highly likely that it will still apply to you.

Q. We offer some of our services for free – do we still need to comply?
Yes. Even if no money is exchanged, GDPR applies to the exchange of goods and services with EU residents.

Q. What does ‘consent’ actually mean? (in the context of obtaining an individuals consent to process their personal data)A. According to Article 4 of the GDPR, ‘consent’ of the data subject refers to “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Q. I’ve heard that an individual is entitled to request that we delete all their data at any point – is this true?A. Yes, you may have heard it being referred to as the ‘right to remove’. By the word of the GDPR, “the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.” Importantly, the regulations stipulate that “…it shall be as easy to withdraw as to give consent.”

Q.How does GDPR affect the software hotels can use? [Answered by ALICE]

A. All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.

If a hotel is using a software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regards to managing data. Both parties would need to communicate the relationship to both guests and employees.

Q. Can EU hotels use software vendors or software on servers based outside the EU? [Answered by ALICE]

A. Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:

They have a Data Processing Agreement in place. These agreements are required for all data processors, not just international ones (GDPR Art.28[3]).

There is a lawful basis for transfering the data (GDPR Rec.39, 40, 41; GDPR Art.6[1]), which can be through the service provider’s membership in the Privacy Shield, signed standard contractual clauses, or other mechanisms allowed under the GDPR. Most companies will be relying on the GDPR’s standard contractual clauses.

The transfer is mentioned in the hotel’s privacy policy and the purpose of the transfer is explained.

Q. Do hoteliers or vendors need to encrypt their databases?[Answered by ALICE]

A. It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.

Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests’ data privacy:

the pseudonymisation [obscuring the identities] and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Google Analytics

Q. My website uses Google Analytics. Do I need to do anything, like update my privacy policy, or tell my users that I’m tracking them using Google Analytics? [Answered by 80 DAYS]

A. Google Analytics uses cookies to track your website visitors. With a ‘standard’ implementation of Google Analytics (i.e. you haven’t uploaded any of your own data etc.) these cookies should not contain any personally identifiable data.

As a suggestion, here’s the cookies that are tracked as part of a standard implementation for Google Analytics (in case you want to reference these in an updated privacy policy).

Cookie

Name

Purpose

Expires

_ga
_gat
_gid

Google Analytics

These cookies are essential for our site to anonymously track user behaviour so that we can better understand and improve upon the current user experience.

2 years

You may have also noticed, Google have added a notification to the top of Google Analytics to alert users of the ability to control data retention starting May 25th.

As helpful further reading, you can discover more about Google’s ‘commitment to GDPR’ here.

Q. When might Google Analytics not be GDPR compliant?
A. If you’ve uploaded your own data into Google Analytics that contains personally identifiable data, that may not be compliant. Occasionally, some websites are setup to include personally identfiable data within a URL too. For example, if your booking engine redirected an individual to the URL www.examplehotel.com/form?hotel=newyork&arrivaldate=”24-09-18&name=johnsmith&age=34 – that could be classed as personally identifiable data within Google Analytics and may therefore require special consideration. The team at Convert.com have put together a very useful article that goes into more depth on this, here.

Google AdWords

Q. We advertise our hotel using Google AdWords PPC advertising – do we need to seek consent for this? [Answered by 80 DAYS]
A. Like with Google Analytics, most data is anonymised and so no changes are required to be GDPR compliant. The slight exception to this is Customer Match advertising (i.e. where ads are targeted toward a defined list of email or mailing addresses); if you are to run this form of advertising, then customers would have to have given explicit consent for their personal data to be used in this way.

Data Capture

Q. Can we obtain consent by using check boxes/tick boxes and similar methods? [Answered by 80 DAYS]
A. Yes, the GDPR explicitly states that consent could include “…ticking a box when visiting an internet website”. However, it’s important to note that your website should be set up as ‘privacy by default’, i.e. you can’t have a tick box that states “signup to receive our newsletter” pre-checked. A user must actively opt-in through a clear, affirmative, action.

See below for an example of good/bad practice;

Q. Do I need to use double opt in when capturing email addresses on my website to comply with the GDPR?

A. From our interpretation of the GDPR as we understand it, you don’t need to have double opt-in enabled for email data capture. That said, with any data capture under GDPR, you must be able to show provable consent to use that data. Theoretically anyone could add someone’s email address into an email signup, so double opt-in does explicitly show that the specific user opts in (rather than being opted in by someone else). Therefore, while it may not necessarily be legally required, it does offer an additional level of compliancy and peace of mind.

Q. Do I need to have a link to my privacy policy wherever I’m capturing data?

A. This is a difficult question to answer. Currently, there’s no precedent to say that this is a legal requirement as the regulations are still words-on-paper rather than enforceable law. What is known is that when capturing data the user must be completely clear as to how their data is going to be used. Here it comes down to forward planning as best you can; what might you want to use that data for now, and in the future? Getting opt-in for everything now, will likely be easier than seeking additional permissions later.

Email Marketing & CRM

Q. My database has given me explicit consent to send them newsletters. Can I share their email address with a sister hotel to send them an offer? [Answered by Cendyn]
A. If you plan to share data with a sister hotel, this information must be visible and accessible within your privacy policy. Those who have consented for you to process their data should have had access to this privacy policy when opting in. If you are updating your privacy policy, you should notify your database of the changes so they can be aware of what they have opted-in to. In addition to this, if you are considering sharing data internationally, always be mindful of compliance for the respective laws of international data sharing, for example, EU – US and Swiss – US Privacy Shield frameworks etc.

Q. Should I be contacting my existing database to get consent for sending them emails moving forward? [Answered by Cendyn]
A. If you’ve been following an opt-in consent model, you should already have an auditable trail that will prove consent has been received from those individuals. If that is the case, you do not need to contact your database again to gain consent. If, however, you do not have this, you have a small window before May 25, 2018 to engage with your database and encourage them to provide their consent to receive communications from you. There are a few ways of doing this and we outline them in our guide ‘Hotelier’s guide to gaining consent for GDPR’.

Q. Do I need to provide options for what type of content users want to subscribe to in newsletter sign up forms? (i.e. restaurant only, offer only, hotel updates only etc.) [Answered by Cendyn]
A. Absolutely, the more granular you can get the better. We suggest setting up an email preferences page or subscription centre that allows individuals to determine exactly what information they’d like to receive from you – this could be in the form of interests they may have (watersports, skiing, golf, spa etc) and/or it could be with regards to the type of emails they would like to receive (newsletters, events, news etc)

Q. If my database has only signed up to receive newsletter updates from my hotel, can I send them other types of emails too? [Answered by Cendyn]
A. No, this is important to remember and is the reason we suggest creating an email preferences page. This ensures the individuals in your database only receive information on the topics they are interested in. It’s important to remember that a key aspect of GDPR is transparency, the more transparent you are with your database the better the relationship will be.

Got a question?

Add it to the comments below and Hotel Speak will reach out to our community for an answer.

Sam Weston is an experienced digital marketing professional who has worked both client and agency side with a focus on the hospitality industry. Currently, he is Marketing Manager for a full service creative and digital marketing agency, 80 DAYS, based in Edinburgh, Scotland. Any views expressed on this site are his own.